OpenSSL check if a SSL certificate is SHA-1 or SHA256 signed

Question

How do I check if an OpenSSL certificate issued to a site is SHA-1 or SHA-256?

I have a quite a lot of intranet sites using OpenSSL certificates and I am a bit confused as when I check the certificate properties, I get:

Internet Explorer:

Signature Algorithm: sha1RSA
Signature Hash Algorithm: sha1
Firefox:

Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Under Fingerprints, I see both SHA256 and SHA-1

OpenSSL command line attempt not working

I tried using OpenSSL command, but for some reasons it errors out for me and if I try to write to a file, the output file is created, but it is blank.

openssl.exe s_client -connect mysite:443 > CertInfo.txt && openssl x509 -text -in CertInfo.txt |
find "Signature Algorithm"

Basically, I need to validate that the certificates are really SHA-1 and I need to upgrade that to a SHA256 or SHA-2.

You may want to have a look at the answers to the following questions (although not exact duplicates): http://security.stackexchange.com/questions/8645/how-do-i-check-if-a-gmail-gtalk-ssl-certificate-is-valid http://security.stackexchange.com/questions/73824/steps-to-find-out-whether-a-ssl-certificate-is-trustworthy http://security.stackexchange.com/questions/59566/ssl-certificate-chain-verification — jk - Reinstate Monica, Nov 24 '15 at 13:05
That certificate you tested with Firefox and IE is signed using SHA-1. And one more thing: fingerprints will not help you with your actual goal. — Vilican, Nov 24 '15 at 13:26

score 7 · Answer 1 · edited Jun 16 '20 at 09:49

Here's the command for Linux and Windows.

And don't be alarmed about the doubled output line (Signature Algorithm: ...). That is expected (and mandatory).

Linux: SHA1 demo site

$ echo '' | openssl s_client -connect sha1.badssl.com:443 -servername sha1.badssl.com 2>/dev/null | openssl x509 -noout -text | grep 'Signature Algorithm'
    Signature Algorithm: sha1WithRSAEncryption
    Signature Algorithm: sha1WithRSAEncryption

Linux: SHA256 demo site

$ echo '' | openssl s_client -connect sha256.badssl.com:443 -servername sha256.badssl.com 2>/dev/null | openssl x509 -noout -text | grep 'Signature Algorithm'
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption

Windows cmd.exe: SHA1 demo site

c:\>echo " " | openssl.exe s_client -connect sha1.badssl.com:443 -servername sha1.badssl.com 2>nul | openssl.exe x509 -noout -text | findstr /C:"Signature Algorithm"
    Signature Algorithm: sha1WithRSAEncryption
    Signature Algorithm: sha1WithRSAEncryption

Windows cmd.exe: SHA256 demo site

c:\>echo " " | openssl.exe s_client -connect sha256.badssl.com:443 -servername sha256.badssl.com 2>nul | openssl.exe x509 -noout -text | findstr /C:"Signature Algorithm"
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption

Fingerprint is not inside certificate

It's a computed value.

score 0 · Answer 2 · answered Sep 09 '22 at 06:52

In addition to looking at Signature Algorithm (as mentioned in the existing answer), you may have to also look for Hash Algorithm.

For example, in case of RSASSA-PSS certificates, the signature algorithm just mentions "rsassaPss" but the hash algorithm indicates whether SHA1 or SHA256 is used.

$ openssl x509 -in sha1.pem -noout -text | grep -e 'Signature Algorithm' -e 'Hash Algorithm'
    Signature Algorithm: rsassaPss
     Hash Algorithm: sha1 (default)
Signature Algorithm: rsassaPss
     Hash Algorithm: sha1 (default)

$ openssl x509 -in sha256.pem -noout -text | grep -e 'Signature Algorithm' -e 'Hash Algorithm'
    Signature Algorithm: rsassaPss
     Hash Algorithm: sha256
Signature Algorithm: rsassaPss
     Hash Algorithm: sha256